Hi,

> On Mon, 16 Jul 2018 17:37:21 +0530
> Anantha Raghava via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> Thanks for clarification.
>>
>> However, we held back from implementing your suggestion and observed
>> that after about 40 odd hours from the initial publishing of the
>> policies, all clients connecting to any of the Domain Controllers
>> started to get the policies. No client was throwing any error while
>> applying the policies from any of the 4 Domain Controllers.
> Good, but why the delay ?

This is being investigated. Is it something to do with cache? Wondering
whether running "net cache flush" will help to get over this behavior.

>> Does it mean that "idmap.ldb" is taking time to replicate
>> automatically?
> 'idmap.ldb' never replicates automatically, it must be done manually.

We will include this in our replication script.

>> Or is it some other issue? Nothing interesting about
>> this is logged in samba. Sysvol is getting replicated as soon as any
>> policy is added or modified or deleted on the first domain controller.
> How is 'sysvol' being replicated, this again is a manual procedure on
> Samba AD DCs

Yes, it is being synchronised using rsync. Basically, we are using
"inotify" to watch for changes (add, modify & delete) in "sysvol" and
push the changes to all other DCs. I will share our replication scripts
here shortly.

>> Basically we are implementing "Software Whitelisting" policies and
>> these are defined as computer policies. The error started to show up
>> once the policy was linked.
>>
>> Any hints on this behavior?
>>
> No, but it might help if you post more info on your setup.

What info do you need? Find below the smb.conf. It is the same on all
Domain Controllers.

# Global parameters
[global]
        netbios name = PDC
        realm = ****.COM
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
                          drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = ****
        idmap_ldb:use rfc2307 = yes
        ldap server require strong auth = No
# Logs and events
        eventlog list = Security
        log level = 3
        log file = /var/log/samba/dc1.%T.log
        max log size = 1000000

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/****.com/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

> Rowland
On Fri, 20 Jul 2018 06:52:06 +0530
Anantha Raghava via samba <samba at lists.samba.org> wrote:

> Hi,
>
> On Mon, 16 Jul 2018 17:37:21 +0530
> > Anantha Raghava via samba <samba at lists.samba.org> wrote:
> >
> >> Hi,
> >>
> >> Thanks for clarification.
> >>
> >> However, we held back from implementing your suggestion and
> >> observed that after about 40 odd hours from the initial publishing
> >> of the policies, all clients connecting to any of the Domain
> >> Controllers started to get the policies. No client was throwing
> >> any error while applying the policies from any of the 4 Domain
> >> Controllers.
> > Good, but why the delay ?
> This is being investigated. Is it something to do with cache,
> wondering whether running "net cache flush" will help to get over
> this behavior.

Possibly, but I thought that the cache should be consulted first and if
the user isn't found, then via winbind, ask AD. Just a thought, is nscd
or similar running?

> >
> >> Does it mean that "idmap.ldb" is taking time to replicate
> >> automatically?
> > 'idmap.ldb' never replicates automatically, it must be done
> > manually.
> We will include this in our replication script.
> >
> >> Or is it some other issue? Nothing interesting about
> >> this is logged in samba. Sysvol is getting replicated as soon as
> >> any policy is added or modified or deleted on the first domain
> >> controller.
> > How is 'sysvol' being replicated, this again is a manual procedure
> > on Samba AD DCs
> Yes, it is being synchronised using rsync. Basically, we are using
> "inotify" to watch for changes (add, modify & delete) in "sysvol" and
> push the changes to all other DCs. I will share our replication
> scripts here shortly.

I have been working on something similar, every time I think I am
getting close, I think of another enhancement ;-)

> >
> >> Basically we are implementing "Software Whitelisting" policies and
> >> these are defined as computer policies. The error started to show
> >> up once the policy was linked.

Surely, if it works without the policies, but doesn't with them, then
these could be the problem and deserve a good look at?

> >>
> >> Any hints on this behavior?
> >>
> > No, but it might help if you post more info on your setup.
> What info do you need? Find below the smb.conf. It is the same on all
> Domain Controllers.
>
> # Global parameters
> [global]
>         netbios name = PDC
>         realm = ****.COM
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>                           drepl, winbindd, ntp_signd, kcc, dnsupdate
>         workgroup = ****
>         idmap_ldb:use rfc2307 = yes
>         ldap server require strong auth = No
> # Logs and events
>         eventlog list = Security
>         log level = 3
>         log file = /var/log/samba/dc1.%T.log
>         max log size = 1000000
>
> [netlogon]
>         path = /usr/local/samba/var/locks/sysvol/****.com/scripts
>         read only = No
>
> [sysvol]
>         path = /usr/local/samba/var/locks/sysvol
>         read only = No

The only thing wrong with that smb.conf is the netbios name, I take it
you didn't get the memo ;-)

There is no such thing as a PDC in AD, all DCs are equal, it is just
that some of them hold FSMO roles.

Rowland
Hi,

> On Fri, 20 Jul 2018 06:52:06 +0530
> Anantha Raghava via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> On Mon, 16 Jul 2018 17:37:21 +0530
>>> Anantha Raghava via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hi,
>>>>
>>>> Thanks for clarification.
>>>>
>>>> However, we held back from implementing your suggestion and
>>>> observed that after about 40 odd hours from the initial publishing
>>>> of the policies, all clients connecting to any of the Domain
>>>> Controllers started to get the policies. No client was throwing
>>>> any error while applying the policies from any of the 4 Domain
>>>> Controllers.
>>> Good, but why the delay ?
>> This is being investigated. Is it something to do with cache,
>> wondering whether running "net cache flush" will help to get over
>> this behavior.
> Possibly, but I thought that the cache should be consulted first and if
> the user isn't found, then via winbind, ask AD. Just a thought, is nscd
> or similar running?

Just to clarify, nscd or similar daemons are not running in our
environment. We use a CentOS 7.5 minimal installation. Coming to using
only "net cache flush", we will test it in our environment and report
back here.

>
>>>> Does it mean that "idmap.ldb" is taking time to replicate
>>>> automatically?
>>> 'idmap.ldb' never replicates automatically, it must be done
>>> manually.
>> We will include this in our replication script.
>>>> Or is it some other issue? Nothing interesting about
>>>> this is logged in samba. Sysvol is getting replicated as soon as
>>>> any policy is added or modified or deleted on the first domain
>>>> controller.
>>> How is 'sysvol' being replicated, this again is a manual procedure
>>> on Samba AD DCs
>> Yes, it is being synchronised using rsync. Basically, we are using
>> "inotify" to watch for changes (add, modify & delete) in "sysvol" and
>> push the changes to all other DCs. I will share our replication
>> scripts here shortly.
> I have been working on something similar, every time I think I am
> getting close, I think of another enhancement ;-)

Find the sample script below. We add other DCs as needed to the same
script. To include "net cache flush", we will have to modify this script
that runs on the first DC (DC1 or PDC ;-)

#!/bin/bash
# Watch the Policies directory and push sysvol to the other DCs on change.
# Uses [[ ]] and &>, so bash rather than plain sh is required.
DIR="/usr/local/samba/var/locks/sysvol/test.com/Policies/"
export PATH=/usr/local/samba/bin:/usr/local/samba/sbin:$PATH

inotifywait -m -r -e moved_to -e modify -e delete -e create "$DIR" |
while read -r f
do
    echo "$f"
    # Only react to events that name a file (something with a dot in it),
    # not to bare directory events.
    if [[ $f = *.* ]]; then
        # Reset the NT ACLs before copying so that the receiving DC gets
        # consistent permissions, then sync with ACLs (-A) and xattrs (-X).
        samba-tool ntacl sysvolreset &> /dev/null
        sleep 5
        rsync -XAavz --delete-after /usr/local/samba/var/locks/sysvol/ dc1:/usr/local/samba/var/locks/sysvol
    fi
done

>
>>>> Basically we are implementing "Software Whitelisting" policies and
>>>> these are defined as computer policies. The error started to show
>>>> up once the policy was linked.
> Surely, if it works without the policies, but doesn't with them, then
> these could be the problem and deserve a good look at?
>
>>>> Any hints on this behavior?
>>>>
>>> No, but it might help if you post more info on your setup.
>> What info do you need? Find below the smb.conf. It is the same on all
>> Domain Controllers.
>>
>> # Global parameters
>> [global]
>>         netbios name = PDC
>>         realm = ****.COM
>>         server role = active directory domain controller
>>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>>                           drepl, winbindd, ntp_signd, kcc, dnsupdate
>>         workgroup = ****
>>         idmap_ldb:use rfc2307 = yes
>>         ldap server require strong auth = No
>> # Logs and events
>>         eventlog list = Security
>>         log level = 3
>>         log file = /var/log/samba/dc1.%T.log
>>         max log size = 1000000
>>
>> [netlogon]
>>         path = /usr/local/samba/var/locks/sysvol/****.com/scripts
>>         read only = No
>>
>> [sysvol]
>>         path = /usr/local/samba/var/locks/sysvol
>>         read only = No
> The only thing wrong with that smb.conf is the netbios name, I take it
> you didn't get the memo ;-)
>
> There is no such thing as a PDC in AD, all DCs are equal, it is just
> that some of them hold FSMO roles.
>
> Rowland

I understand, there is no such thing as a PDC. The server is just named
that way as it handles the PDC Emulator role. :-)

Thanks & regards,

Anantha Raghava
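The thread settles on three things the Samba DCs do not do by themselves: sysvol is pushed with rsync from an inotify trigger, idmap.ldb has to be copied by hand, and the ACLs have to be reset so every DC serves the same permissions on the GPO files. The script below is an added example, written for this page and not the poster's script nor Samba's own tooling, that puts those pieces into separate, testable functions. It assumes (hypothetically) a Samba build under /usr/local/samba, peers named in PEER_DCS, root ssh from the master DC to each peer, and the documented tdbbackup snapshot of idmap.ldb; the inotifywait record used in the test is constructed.

```shell
#!/bin/sh
# Added example, not the list poster's script: push sysvol and idmap.ldb
# from the DC holding the master copy to the other DCs.
# Assumptions (hypothetical): Samba under $SAMBA_PREFIX, peers in
# PEER_DCS, passwordless root ssh to each peer.

SAMBA_PREFIX="${SAMBA_PREFIX:-/usr/local/samba}"
SYSVOL="$SAMBA_PREFIX/var/locks/sysvol"
IDMAP="$SAMBA_PREFIX/private/idmap.ldb"
BIN="$SAMBA_PREFIX/bin"
PEER_DCS="${PEER_DCS:-dc2 dc3 dc4}"
# -A/-X carry the POSIX ACLs and xattrs that store the NT ACLs of the GPO
# files; --delete-after removes policies that were unlinked on the master.
RSYNC_OPTS="-XAavz --delete-after"

# is_policy_change DIR EVENTS NAME
# Filter one "inotifywait -m" record (watched dir, comma-separated events,
# file name). Returns 0 when the change should trigger a push. Editor temp
# files are skipped, as is the creation of a bare directory (the files
# written into it raise their own events, and a directory DELETE still
# counts so --delete-after can propagate it).
is_policy_change() {
    case "$3" in
        .*|*~|*.swp|*.tmp) return 1 ;;
    esac
    case "$2" in
        *ISDIR*) case "$2" in *CREATE*) return 1 ;; esac ;;
    esac
    return 0
}

# rsync_target PEER: the destination spec for one peer, trailing slash so
# the sysvol tree lands in place rather than one level deeper.
rsync_target() {
    printf 'root@%s:%s/\n' "$1" "$SYSVOL"
}

# push_sysvol: reset NT ACLs locally so every peer receives a consistent
# set, rsync to each peer, then reset on the peer as well.
push_sysvol() {
    "$BIN/samba-tool" ntacl sysvolreset >/dev/null 2>&1
    for peer in $PEER_DCS; do
        # shellcheck disable=SC2086  (RSYNC_OPTS is intentionally split)
        rsync $RSYNC_OPTS "$SYSVOL/" "$(rsync_target "$peer")" &&
            ssh "root@$peer" "$BIN/samba-tool ntacl sysvolreset" >/dev/null 2>&1
    done
}

# push_idmap: idmap.ldb never replicates on its own. Copy a consistent
# tdbbackup snapshot (idmap.ldb.bak) rather than the live file, then flush
# the peer's winbind cache so the copied mappings are used immediately.
push_idmap() {
    "$BIN/tdbbackup" -s .bak "$IDMAP" || return 1
    for peer in $PEER_DCS; do
        scp "$IDMAP.bak" "root@$peer:$IDMAP" &&
            ssh "root@$peer" "$BIN/net cache flush" >/dev/null 2>&1
    done
}

# watch_loop: drive pushes from inotifywait. close_write is added to the
# events used in the thread so a finished write, not a partial one, is
# what gets copied; the sleep lets a burst of GPMC writes settle.
watch_loop() {
    inotifywait -m -r -e moved_to -e close_write -e delete -e create "$SYSVOL" |
    while read -r dir events name; do
        is_policy_change "$dir" "$events" "$name" || continue
        sleep 5
        push_sysvol
    done
}

# Only start watching when explicitly asked, so the functions above can be
# sourced and tested without inotifywait, rsync or samba-tool present.
if [ "${SYSVOL_SYNC_RUN:-0}" = 1 ] && command -v inotifywait >/dev/null 2>&1; then
    push_idmap
    watch_loop
fi
```

Run it on the master DC as SYSVOL_SYNC_RUN=1 ./sysvol-push.sh (the file name is assumed). Unlike the one-liner filter on *.* in the posted script, the event filter here keys on the inotify event type, so directory deletions are pushed while editor temp files are not.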